1 / 19

Single Sign-On with GRID Certificates

Single Sign-On with GRID Certificates. Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003. Outline. Motivation and goals Authentication mechanisms Implementing web single sign-on Mapping certificates to accounts Providing certificates to users Current status

kylene
Télécharger la présentation

Single Sign-On with GRID Certificates

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7th Collaboration Meeting July 2003

  2. Outline • Motivation and goals • Authentication mechanisms • Implementing web single sign-on • Mapping certificates to accounts • Providing certificates to users • Current status • Summary and conclusions

  3. Motivation and goals • The GRID environment offers: • A lot of computing power • The possibility to execute big and complex applications • But GRID users will also need basic services: • Mail • Web • Access to administrative procedures • We want to integrate the services for GRID and local users • Cross-platform authentication • Single sign-on

  4. Authentication mechanisms • PKI/Certificates • Off-line authentication • Someone (CA) signs a document saying who I am • The service verifies the signature • Used across platforms • Standard extension mechanisms • Kerberos tickets • On-line authentication • Someone (KDC) tells the service that I am really who I claim to be • Intra-site security mechanism (used by Unix and Microsoft)

  5. Implementing single sign-on • Users coming from GRID and local Unix and Windows environments • Services are multi-platform (Unix/Windows) • Logon and Authentication mechanisms are different • A user must type his/her credentials again and again • Solution? • We will focus on web services

  6. Single sign-on via web Services Web Server User Impersonation Delegation • The user must provide a valid PKI/Certificate • We must trust the web server: it will impersonate the user! • Complex scenario: many possibilities

  7. Impersonation in Apache/Unix • Direct impersonation via Certificates • Privileged server • DB to map certificates into accounts • The service runs as the user owning the certificate (login) • Impersonation via Kerberos ticket • The service acquires the user ticket to access the resources • It should get Kerberos ticket from the certificate • May use extra software: Kerberos leveraged PKI • KCT (Kerberos Certificate Translation) • Mod_KCT (Apache module)

  8. Impersonation in MS web servers • Based on the Windows Identity Mapping mechanism • Maps a certificate to a Windows account (logon) • The identity mapping is set in the Active Directory • Common for the whole domain • Provides an internal ticket • Allows accessing windows resources

  9. Windows identity mapping • Two flavors: manual and automatic • In manual mapping, the administrator must specify which certificate maps into which account (can be done programmatically) • In automatic mapping, the certificate must contain an extension with the User Principal Name (UPN) of the account • No explicit mapping is needed • Originally designed for smart cards

  10. Integrating external GRID users • Local account for GRID users? • Users not registered locally, but having valid GRID certificates • How to handle them (Unix/Windows)? • Validate the certificate • Create account on-the-fly • Assign new user to appropriate groups • Map the certificate to the new account • Delete the account at user ‘logout’

  11. So far… • Web services can be configured to use certificates for authentication • We should be able to use GRID certificates to access these services • Possibly adding some extensions • …Now we need to integrate the local users • How can we easily provide them with certificates ?

  12. Providing certificates to users • GRID users already have a certificate • The others… • At CERN, both local Unix and Windows users receive a Kerberos ticket during logon • We can issue a PKI/Certificate from a Kerberos ticket • KCA (Kerberized CA)

  13. Integrating non-GRID users • Kerberos Leveraged PKI KDC Login KCA Browser Web Server Credential Cache LibPKCS11

  14. Tools • KCA (Kerberized CA) supports Kerberos V (Windows 2000 compatible) • KCA clients are available for Unix and Windows • PKCS11 library (smart card emulation) is also available for Unix and Windows

  15. Issues • Interoperability puts extra requirements in the certificates • Specific extensions • Revocation lists • … • It depends on many components • Some of them not completely stable or ready for production • The server must be able to • Accept the certificate • Identify the account to which the certificate refers

  16. The integrated view Win Box Resources AD OpenSSL CA MIT KDC Windows 2000 KDC Linux KCA Windows 2000 IIS 5.0 Certificate Template Unix Apache KCT Mod_KCT LinuxBox Lib PKCS11 Web Browser GRID Certificates

  17. Summary and conclusions • It is possible • To integrateGRID and local infrastructure services • Provide cross-platformSingle Sign-on using GRID authentication mechanisms (i.e. PKI/Certificates ) • But full functionality has issues… • Lots of components involved (KDC, KCA, AD…) • Compatibility (not fully documented requirements) • Is the complexity worth while? • Over-complex for a reliable service today • But the components are being used/developed in other areas

  18. Summary and conclusions • Nevertheless, it is an interesting mechanism • Web services are widely spread • Can be shared by GRID and non-Grid users • Smooth transition from non-GRID to GRID • Partial functionality is possible and ready to work • Mapping long term certificates • Some of the tools are being actively developed • We’ve heard of some related success stories 

  19. Questions?

More Related